2. Forbidden fruits of Active Directory
Cloning – Snapshotting - Virtualization
Benjamin Logist
Wim Henderyckx
Premier Field Engineer – Microsoft Services
5. Importance of Virtualization in IT
Well-established & still growing trend
widely adopted across all market segments
Often a business decision driven by cost savings
fewer machines require less space and power
consolidate server hardware for optimal hardware utilization
… also provides numerous technological conveniences
Virtualization paves the way toward private-cloud deployments
reduces deployment and management complexity
offers redundancy and dynamic-scale capabilities
7. Virtualization of Domain Controllers
Pre-Windows Server 2012
DCs successfully deployed on virtualization platforms for many years
according to a set of well-defined best-practices
best-practices advised against actions that could disrupt Active Directory
Best-practices guidance cautioned against:
applying snapshots on virtual domain controllers
exporting a virtual machine that is running a domain controller
copying virtual hard disks (VHDs)
Hypervisor admins are not necessarily aware of Active Directory's requirements or best practices
8. Virtualization Challenges
Virtual machines offer snapshot capabilities
potentially problematic for distributed applications
Why?
applications experience a logical-clock shift
operations happen outside of the OS's/application's awareness
Active Directory's logical clock is its USN (update sequence number)
9. How Domain Controllers are Impacted
Impact to replication
lingering objects
inconsistent passwords
inconsistent attribute values
schema mismatches if the Schema FSMO is rolled back
Potential for security principals to be created with duplicate SIDs
a rolled-back DC re-issues RIDs from a RID pool it had already consumed, so new accounts receive SIDs that were already handed out
resulting in unauthorized access to resources for a period of time
the affected users will no longer be able to log on
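The symptoms above are what a pre-2012 (or unprotected) DC shows after a snapshot is applied. The script below is an added example, not material from the presentation: it checks a DC for the two records Windows writes when it catches USN rollback itself, Directory Service event 2095 and the registry value "Dsa Not Writable" = 4 (the DC pausing its own replication), and prints the DC's invocation ID so it can be compared across a suspected rollback. The 30-day window and running it locally on the DC are assumptions.

```powershell
# Added example (not from the deck). Run in an elevated PowerShell session on
# the domain controller you want to inspect; needs the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-UsnRollback {
    <#
      Reports the two tell-tale signs Windows records when a DC detects that
      it was rolled back (e.g. a restored snapshot) and a replication partner
      has already received writes carrying USNs this DC is about to reuse:
        * Directory Service event 2095 (USN rollback detected)
        * registry value "Dsa Not Writable" = 4 under the NTDS parameters key
          (inbound and outbound replication disabled by the DC itself)
    #>
    param(
        [int]$Days = 30   # assumption: how far back to search the event log
    )

    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $params  = Get-ItemProperty -Path $ntdsKey

    # Get-WinEvent raises a non-terminating error when nothing matches;
    # suppress it so an empty result simply means "no 2095 events".
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2095
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue)

    $lastEvent = $null
    if ($events.Count -gt 0) {
        $lastEvent = ($events | Sort-Object TimeCreated -Descending)[0].TimeCreated
    }

    # InvocationId identifies this DC's database instance; Windows resets it
    # when it recovers a DC after a detected rollback (and, on 2012, when the
    # VM-Generation ID changes), so it is the value to record and compare.
    $dc = Get-ADDomainController -Identity $env:COMPUTERNAME

    [pscustomobject]@{
        DomainController = $dc.HostName
        InvocationId     = $dc.InvocationId
        DsaNotWritable   = $params.'Dsa Not Writable'   # $null when the value is absent
        RollbackEvents   = $events.Count
        LastRollbackSeen = $lastEvent
        Quarantined      = ($params.'Dsa Not Writable' -eq 4) -or ($events.Count -gt 0)
    }
}

$status = Test-UsnRollback
$status | Format-List

if ($status.Quarantined) {
    Write-Warning ('USN rollback detected on {0}: do not force replication back on; ' -f $status.DomainController) +
                  'demote and re-promote this DC or restore it from a supported backup.'
}
```

Note that a DC that has not yet replicated with a partner since the rollback shows neither sign; the check only confirms rollback that Windows has already noticed, which is the whole reason Windows Server 2012 adds the VM-Generation ID check described next.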
13. Safe Domain Controller Virtualization
Windows Server 2012 virtual DCs are able to detect when:
snapshots are applied
a VM is copied
Detection is built on a VM-generation identifier (VM-Generation ID)
the VM-Generation ID changes when features such as VM snapshots are used or a VM is copied
14. Active Directory’s Safe Virtualization
VM-Generation ID provided by the hypervisor platform
a unique 128-bit identifier that guest operating systems and applications can leverage
made available to applications through a Windows Server 2012 driver
Windows Server 2012 virtual DCs track the VM-Generation ID (stored in the msDS-GenerationId attribute of the DC's computer object) and compare it with the hypervisor's current value at boot and before committing writes
allows the DC to detect changes and protect Active Directory (reset its invocation ID, discard the current RID pool, and re-synchronize with its partners)
15. Safe Domain Controller Virtualization
[Figure: DC1(A) at USN 200 when the snapshot is taken, advancing to USN 250 before the snapshot is applied; the VM-Generation ID change is detected, so USN re-use is avoided and USN rollback PREVENTED: all 250 users converge correctly across both DCs.]
18. Cloning Architecture
VDC Cloning at 30,000 Feet (Nine Steps)
Prepare the environment
1. Validate that the hypervisor supports VM-Generation ID.
2. Select a valid source DC running Windows Server 2012.
3. Verify that the PDC emulator (PDCE) FSMO role holder is running Windows Server 2012.
Prepare the source DC
4. Authorize the DC for cloning (membership in the Cloneable Domain Controllers group).
5. Remove incompatible components.
6. Take the source DC offline.
Create the cloned DC
7. Copy or export the source VM and add the DCCloneConfig.xml if it was not already in place when the copy was taken.
8. Create a new VM from the copy.
9. Start the new VM to commence cloning.
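The nine steps as they are actually typed, as an added example that is not part of the presentation. It assumes a source DC named DC1 being cloned to CLONEDC1 on a Windows Server 2012 Hyper-V host; the IP addresses, site name, export and VM paths are placeholders. Steps 1 to 6 run on the source DC (ActiveDirectory module), steps 7 to 9 on the Hyper-V host (Hyper-V module), so the two halves are separate sessions.

```powershell
# Added example, not from the deck. Placeholders: DC1, CLONEDC1, 10.0.0.x,
# Default-First-Site-Name, D:\Exports, D:\VMs.

### Steps 1-3: prepare the environment (run on the source DC, DC1) ###
Import-Module ActiveDirectory

# 1. Does the hypervisor expose VM-Generation ID? In a Hyper-V guest the
#    "Microsoft Hyper-V Generation Counter" device is present, and a 2012 DC
#    that has seen a generation ID stores it in msDS-GenerationId.
$genDevice = Get-WmiObject Win32_PnPEntity | Where-Object { $_.Name -like '*Generation Counter*' }
$genId     = (Get-ADComputer $env:COMPUTERNAME -Properties 'msDS-GenerationId').'msDS-GenerationId'
if (-not $genDevice -or -not $genId) { throw 'No VM-Generation ID available; cloning here is unsafe.' }

# 2. The source DC must be Windows Server 2012.
$me = Get-ADDomainController -Identity $env:COMPUTERNAME
if ($me.OperatingSystem -notlike 'Windows Server 2012*') { throw "Source DC runs $($me.OperatingSystem)" }

# 3. The PDC emulator must be Windows Server 2012 (it creates the clone's account).
$pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
if ($pdc.OperatingSystem -notlike 'Windows Server 2012*') { throw "PDCE $($pdc.HostName) runs $($pdc.OperatingSystem)" }

### Steps 4-6: prepare the source DC ###
# 4. Authorize: only members of Cloneable Domain Controllers may be cloned.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $me.ComputerObjectDN

# 5. Software the cloning engine does not recognize blocks cloning. Uninstall
#    what is listed, or, if the vendor confirms it is clone-safe, write it to
#    CustomDCCloneAllowList.xml (-GenerateXml) and re-run until the list is empty.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
}

#    Write DCCloneConfig.xml into the DSA working directory (%windir%\NTDS by
#    default). The cmdlet re-checks steps 3-5 and refuses to write if any fail.
New-ADDCCloneConfigFile -CloneComputerName 'CLONEDC1' -Static `
    -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11' `
    -SiteName 'Default-First-Site-Name'

# 6. Take the source DC offline. Never copy a running DC's disks.
Stop-Computer -Force

### Steps 7-9: create the clone (run on the Hyper-V host) ###
Import-Module Hyper-V
if ((Get-VM -Name 'DC1').State -ne 'Off') { Stop-VM -Name 'DC1' }

# 7. Export the source VM; its VHD already carries DCCloneConfig.xml.
Export-VM -Name 'DC1' -Path 'D:\Exports'

# 8. Import the export as a copy with a new VM ID. Hyper-V assigns the copy a
#    new VM-Generation ID, which is what steers it onto the clone path at boot.
#    (2012 exports keep the configuration as an .xml file under "Virtual Machines".)
$cfg   = Get-ChildItem 'D:\Exports\DC1\Virtual Machines\*.xml' | Select-Object -First 1
$clone = Import-VM -Path $cfg.FullName -Copy -GenerateNewId `
    -VirtualMachinePath 'D:\VMs\CLONEDC1' -VhdDestinationPath 'D:\VMs\CLONEDC1\Disks'
Rename-VM -VM $clone -NewName 'CLONEDC1'

# 9. Start the clone: it sees a changed generation ID plus DCCloneConfig.xml
#    and promotes itself as CLONEDC1. Bring the source back afterwards.
Start-VM -Name 'CLONEDC1'
Start-VM -Name 'DC1'
```

Step 1 fails closed on purpose: the next slides show why a DCCloneConfig.xml on a platform without VM-Generation ID leaves the clone in DSRM at best and creates a USN bubble at worst.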
25. Rapid Deployment: Cloning Decision Flow
BOOT
  Is a VM-Generation ID available from the hypervisor?
    No:
      Does DCCloneConfig.xml exist?
        Yes: REBOOT INTO DSRM
        No:  BOOT NORMALLY
    Yes:
      Has the VM-Generation ID changed since it was last stored?
        No:
          Does DCCloneConfig.xml exist?
            Yes: rename DCCloneConfig.xml (stale file on the source DC), then BOOT NORMALLY
            No:  BOOT NORMALLY
        Yes:
          Does DCCloneConfig.xml exist?
            Yes: INITIATE CLONING
            No:  BOOT NORMALLY (treated as a snapshot restore or copy; safe-virtualization protections apply)
26. Cautionary Notes
Only Windows Server 2012 virtual domain controllers can be cloned
Requires the PDC emulator FSMO role holder to be a Windows Server 2012 DC
Deploying clone DCs on virtualization platforms that don't provide VM-Generation ID will:
with DCCloneConfig.xml present – cause the clone DC to boot into Directory Services Restore Mode (DSRM)
without DCCloneConfig.xml – potentially introduce a USN bubble and duplicate SIDs, which disrupts the Active Directory environment
Do not change/swap/switch VHDs on existing VMs
the VM-Generation ID does not change in Windows Server 2012 Hyper-V when a VHD is swapped, so the DC cannot detect that its database was replaced with an older copy
27. Summary
Windows Server 2012 enables a much richer Active Directory virtualization experience
domain controllers can be virtualized without the concerns of the past
Enables the rapid deployment of domain controllers by leveraging the virtualization platform's native capabilities
Saves critical time during forest/domain recovery
Simplifies scale-out to meet the needs of the environment